
:bug: Use Cancel-Button results in Ajax-Unauthorized Response

Open Hotade1702 opened this issue 10 months ago • 3 comments

Base information

Question Answer
Related to a SourceForge thead / Another PR / Combodo ticket? no
Type of change? Bug fix

Symptom (bug) / Objective (enhancement)

When clicking the "cancel button" in an edit or creation dialog, the Ajax request responds with 401 Unauthorized. This results in a login mask when using IIS with Windows Authentication. You can continue to use iTop without entering credentials, but it appears every time an edit/new mask is canceled. The reason is that the transaction_id validation in ajax.render.php fails. After changing the ReadPostedParam parameter "sSanitizationFilter" from the default "parameter" to "transaction_id" the validation is true and iTop handles everything fine.

Reproduction procedure (bug)

  1. On iTop 3.2.0
  2. With PHP 8.1.30
  3. IIS and Windows Authentication (the bug also happened everywhere else, but you will only see it in the developer console of the browser, where the Ajax result answers 401)
  4. First go and add a new object (Server, for example) or edit any existing CMDB object or ticket
  5. Then cancel this dialog
  6. Finally, see that a login mask appears, which can be canceled, and you can continue to use iTop.

Cause (bug)

The reason is that when the new-object page or edit page is unloaded, the unload function calls a function in which the transaction_id verification fails.

Proposed solution (bug and enhancement)

Editing one line in ajax.render.php for the header and transaction_id check: instead of using the default parameters of ReadPostedParam, pass the specific parameter "transaction_id" as sSanitizationFilter.

Checklist before requesting a review

  • [x] I have performed a self-review of my code
  • [x] I have tested all changes I made on an iTop instance
  • [x] No unit test, because only one line changed, using existing functions
  • [x] Is the PR clear and detailed enough so anyone can understand digging in the code?

Checklist of things to do before PR is ready to merge

Hotade1702 · Feb 28 '25 00:02

Hello, thanks for your contribution :) We'll add the filter you suggest, as it is appropriate and can only be a good thing! But we couldn't reproduce your problem (with iTop 3.2.0 and PHP 8.1.30, on an Ubuntu server, looking for the error in the developer console), and it may be good to know why the transaction_id verification failed. Could you please give us some screenshots and more info to reproduce your problem?

jf-cbd · Mar 07 '25 10:03

Hi, I logged both to the PHP error_log; when sending without the filter it doesn't result in a transaction id:

    [07-Mar-2025 16:55:39 Europe/Paris] with_transactionidfilter: DANB81.tmp
    [07-Mar-2025 16:55:39 Europe/Paris] without_transactionidfilter:

In the developer log in the browser you can only see it when you have a look at the Network tab: [screenshot of the Network tab]

When I cancel a dialog without the transaction filter I get this in my PHP log with PHP 8.1.30 (I'm not sure if the version is really relevant) on IIS:

    [07-Mar-2025 16:57:04 Europe/Paris] PHP Warning: Undefined variable $sReferer in D:\itop-dev\pages\ajax.render.php on line 72

which is:

    IssueLog::Error("Unprotected ajax call : $sTransactionId", LogChannels::SECURITY, ['referer' => $sReferer]);

(it should be 2-3 lines higher in your code, because I added some lines for debugging (error_log...))

and on IIS with Windows Authentication on, resulting in this popup: [screenshot of the login popup]

Hotade1702 · Mar 07 '25 16:03

Hello, thanks for your info @Hotade1702. We think we have found the reason for the bug thanks to it and your fix; could you help us confirm it? When the error occurs, does your $sTransactionId contain a dot, e.g. "xxx.tmp"?

jf-cbd · Mar 14 '25 15:03
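The following is an added example, not code from iTop or from anyone in this thread. It models the difference between the "parameter" and "transaction_id" sanitization filters that the issue body and the maintainers' last question turn on, and replays the ajax.render.php-style check against the "DANB81.tmp" value from the log above. The two character classes are an assumption about how iTop's sanitizer behaves (the only difference being that "transaction_id" admits a dot); confirm them against utils::Sanitize in your iTop version before relying on them. The helper names, the sample transaction ids and the "401/200" outcome are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumed approximation of two iTop sanitization filters (NOT iTop's code):
// 'parameter' accepts letters, digits, space, '_', '=', '-';
// 'transaction_id' accepts the same set plus '.'.
const FILTERS = [
    'parameter'      => '/^[ A-Za-z0-9_=-]*$/',   // assumed: no dot
    'transaction_id' => '/^[ A-Za-z0-9_=.-]*$/',  // assumed: dot allowed
];

// Hypothetical stand-in for utils::ReadPostedParam(): returns '' when the
// parameter is absent, the value when it matches the filter, false otherwise.
function readPostedParam(array $post, string $name, string $filter): string|false
{
    if (!isset($post[$name])) {
        return '';
    }
    return filter_var(
        (string) $post[$name],
        FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => FILTERS[$filter]]]
    );
}

// Mirrors the shape of the check discussed for ajax.render.php: a missing or
// rejected transaction id is logged as an unprotected call and answered 401.
// Whether the id is actually valid against the transaction store is not
// modelled here; only the sanitization step is.
function checkTransaction(array $post, string $filter): int
{
    $id = readPostedParam($post, 'transaction_id', $filter);
    if ($id === false || $id === '') {
        error_log('Unprotected ajax call : ' . var_export($id, true) . " (filter=$filter)");
        return 401;
    }
    return 200;
}

// Constructed sample ids. The first is the value seen in the log above;
// the others probe what each filter still rejects once the dot is allowed.
$cases = [
    'DANB81.tmp'    => 'id with a dot, as in the log',
    'DANB81abc'     => 'id without a dot',
    '../DANB81.tmp' => 'path traversal attempt: slash rejected by both',
    'DANB81.tmp;x'  => 'injection-style junk: semicolon rejected by both',
];

foreach ($cases as $id => $what) {
    foreach (array_keys(FILTERS) as $filter) {
        printf("%-15s %-15s -> %d   (%s)\n",
            $id, $filter, checkTransaction(['transaction_id' => $id], $filter), $what);
    }
}
```

Run it with `php` on the command line. Under the assumed filters, "DANB81.tmp" is rejected by "parameter" (FILTER_VALIDATE_REGEXP returns false, which the check treats like an empty id and answers 401) and accepted by "transaction_id", while the dot-free id passes both. The last two cases show the caveat worth keeping in mind when widening the filter: an id is later used as a file name in file-based transaction mode, so the filter must still reject "/" and "\" even though it now admits ".", which both assumed patterns do.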